Keeping an eye on efforts to protect the privacy and security of personal healthcare information

But three recent breach incidents, each involving the loss or theft of back-up drives, illustrate that some organizations are doing a far better job than others in informing consumers about the steps they're taking to prevent breaches.

Maryville Academy Incident

For example, an Illinois childcare agency explained a revised security policy, including the use of encryption, in its website statement about a breach involving the apparent theft of three unencrypted back-up portable hard drives. (See: Breach Incident Triggers Encryption).


"All data security policies and procedures have been reviewed and updated, including the maintenance of back-up hard drives. To protect against any future breaches, Maryville Academy has changed the location of its local site and the manner for storing any back-up hard drives and has upgraded the security for this purpose.

"In addition, Maryville Academy is now in full compliance with the U.S. Department of Health and Human Services' recommended procedure of using data encryption to protect clients' health information. Maryville Academy has begun a practice of using specialized security software to completely encrypt all the records on these back-up hard drives. This encryption software scrambles the data on the back-up hard drives, which makes the information unusable in the event they are ever lost or stolen in the future."

The statement makes it clear that the organization has taken tangible action, and it explains that action in layman's terms. Not bad for a relatively small organization that experienced a breach affecting about 4,000 youths.

NYC Health and Hospitals Incident

In the aftermath of the NYC Health and Hospitals (HHC) breach, which involved unencrypted back-up tapes stolen from a truck that was transporting them for secure storage, the organization said:

"HHC has taken immediate measures to prevent a similar situation from reoccurring; has terminated the contract with the vendor responsible for the loss; and has filed a lawsuit against the vendor to hold it responsible for covering all of the costs associated with notifying all affected individuals, and to pay for other damages related to the loss of the data."

Plus, when I requested more information, a spokesman acknowledged that while the organization had encrypted most of its back-up files, the stolen tapes had not yet been encrypted. "HHC has been undergoing a multi-year data center consolidation project, which requires the careful transition and transfer of all data backup systems to the new center for storage," the spokesman said. "As part of this process, HHC had to standardize data systems across the hospitals and encrypt all clinical systems backups. HHC has already encrypted more than 80 percent of the data. The (stolen) hospital system files were scheduled for the necessary migration and encryption in March 2011."

Health Net Incident

In contrast, when insurer Health Net posted a statement about a breach that may have affected as many as 1.9 million individuals, it offered no details about its action steps, and a spokesman declined to answer questions. Regulators in several states, however, have issued statements of their own about the incident (See: Health Net Faces Another Investigation).

So which approach is best for building trust? And which approach would your organization take? Are you sure?

About the Author

Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.